Security muddle better than FUDdle

Meanwhile, in the real world...

Whether it's a student slipping contraband past airport metal detectors, or a researcher modeling an unstoppable computer virus -- demonstrations just don't do justice to the real state of security, writes SecurityFocus columnist George Smith.

Look at a photo of Nathaniel Heatwole, the student who performed pro bono security testing on Southwest Airlines. Neat and freshly-scrubbed, he's a good fellow at Guilford College, the winner of a cash award for ham radio broadcasters -- a white-hat hacker trying to make air travel safer.

Not only did Heatwole push box-cutters and other items symbolically meant to appear menacing through airport security, he also showed that the sharing of information isn't so hot. Heatwole warned the Transportation Security Administration about his work in e-mail. The TSA, however, receives 5,700 e-mails a day. In the electronic blizzard, the notification was missed for weeks.

This play has repeated itself in every aspect of physical and electronic security for as long as I've written about the subject. Anyone who has followed the public history of computer intrusion will find the Heatwole case reminiscent of things they have either had to deal with personally or learned of through schooling and the media.

Sending Heatwole to trial is a waste of time. No one was threatened or put in danger, and even the agency that received the black eye, the TSA, didn't have its leaders or employees personally singled out for embarrassment. There was no inconvenience or economic loss. Heatwole has even been reticent with the media, so even if an aim was to be showy, he's been low-key about it.

However, do such things improve security?

After years of thinking about the subject and witnessing similar cases weekly, my gut feeling is they don't. Despite good intent, and even with attention paid, Heatwole will not make security better on the airlines. There are too many carry-on bags to screen with the degree of discernment required to catch everything, and the airlines won't have any customers if they're required to strip search them or nail the bathrooms shut on all flights.

In parallel, it's my hunch that the nation is saturated with news and alarms about security. From gaffes at the national labs, to the Government Accounting Office's stream of reports on poor computer security in various agencies, to Bret McDanel who warned co-workers at his former employer that their e-mail was compromised and had to spend sixteen months in prison before justice finally realized he had done no wrong, the word is always present. Security is too porous, people are screwing up, procedures are rotten, problems are going to be exploited and the house of cards is destined to collapse.

Maybe it's all true.

However, in the rush to publicize that which must be fixed right away, the story poorly told is that the infrastructure is managed and kept stable by a just-in-time, come-as-you-are workforce. And as a practice -- even though this looks wobbly -- globally and over time, it works.

In the past, I've called this laissez faire computer security, but that's not entirely accurate. It doesn't give nearly enough credit to the people who daily keep their bailiwicks running, clean up after the mistakes of others and work collegially across borders to put out whatever electronic fire must be put out.

Such tenacity and resilience cannot be measured in government reports, although the cost of their overtime labor is always said to be crippling during computer virus outbreaks or surges in the emergency application of serial Microsoft patches. One could just as well discount such alleged expense with the argument that the people are always engaged in productive work, and that we'd see the real cost of network insecurities only if the entire fix-it crew were to permanently disappear all at once.

And the Nathaniel Heatwoles of security, while doing their spot test things, cannot give us an idea about the survivability of a system that during crisis is critically dependent upon people. There's an obvious difference between the galvanizing effect of hiding box-cutters in the bathroom and actually coming out of the water closet brandishing them. Similarly, describing how a virus can evade anti-virus updates and circle the globe in a flash doesn't really describe its fight vs. people-with-networks and the probable outcome as it transpires.

The challenge to security men and women is to separate being part of a process that is ostensibly about security, but without hope of bettering it, from the thankless work of combining ingenuity with the networked world's equivalents of spit and baling wire. Should you be a showman if you think no one is paying attention? How effective is sowing suspicion and fear of things to come as a security tool? Or is getting pretty good at just gettin' by fine?

Whatever the answer over the next few years, it'll have to do.

Copyright © SecurityFocus

George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. He also edits the Crypt Newsletter and has written extensively on viruses, the genesis of techno-legends and the impact of both on society.
